Using git attributes to exclude files from your release

Exclude files from your exports

Deploying a development codebase to production has been solved in many different ways, and many of those ways are poor from a security perspective.

Clone the whole repository on the production webservers

Quite possibly the worst option: not only is every file in the repository on the production web servers, every revision of every file is there too. Worse, if the root .git directory is reachable over HTTP, anyone can clone the whole website over HTTP as well, including its history and any file that was ever committed and later deleted.

Yes, you can delete the .git directory after cloning, but that only removes the history; every development-only file in the working tree is still sitting on the web server.

Use git archive to create a snapshot of the repository

One step better is to create a snapshot of the repository with git archive, which writes the tree of a given commit to a zip or tar archive without the .git directory. Creating a snapshot is a one-liner:

Zip format

git archive master -o latest.zip

Compressed tar format

git archive master | bzip2 -9 > latest.tar.bz2

The archive will still contain files you do not want on the web server, e.g.

.gitignore

.gitattributes

other files that are not needed in production (tests, documentation, build scripts and the like)

Using git attributes combined with git archive

We have recently switched to using git attributes on all releases: a .gitattributes file marks development-only paths with the export-ignore attribute, and git archive then leaves those paths out of the archive, so only the files needed in production are sent there during a release.

The sample git attributes file is rather long and exhaustive, as it covers a wide range of core and contributed modules for Drupal 7. The plupload module is an especially good candidate: the bundled library ships with several example PHP scripts which, if your web server executes them, let anyone (anonymous users included) upload an unlimited number of files to the web server.

You could take the export one step further and leave several core PHP scripts out of the release, for example:

cron.php

install.php

update.php etc.

One caveat: once cron.php and update.php are gone you need another way to run cron and database updates (for example drush), and install.php should only be dropped once the site has been installed.
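As an added example (not from the original post, and not the author's attributes file), here is the whole procedure end to end in a shell script: it builds a throwaway Drupal-like repository, marks development-only paths with export-ignore in .gitattributes, runs git archive and checks that the excluded paths really are missing from the release while the site files are still present. The file and directory names (tests, the plupload examples directory, a custom module) are assumptions modelled on the post's description; a real release would use the project's own path list.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a scratch repository,
# uses the export-ignore attribute to keep dev-only paths out of "git archive",
# and verifies the result. Paths below are assumptions for the demo only.
set -e

# Create a scratch repository with site files, dev-only files and a
# .gitattributes that marks the dev-only paths export-ignore; print its path.
make_demo_repo() {
    repo=$(mktemp -d)
    (
        cd "$repo"
        git init -q .
        mkdir -p sites/all/libraries/plupload/examples sites/all/modules/custom tests
        # Files that belong on the web server
        printf '<?php\n' > index.php
        printf '<?php\n' > sites/all/modules/custom/mymodule.module
        printf '/* plupload runtime */\n' > sites/all/libraries/plupload/plupload.full.min.js
        # Files that must NOT ship (assumed layout, mirrors the post's plupload warning)
        printf '<?php // example upload handler bundled with the library\n' \
            > sites/all/libraries/plupload/examples/upload.php
        printf '<?php // unit test\n' > tests/MyTest.php
        printf '<?php // installer, not needed once the site is installed\n' > install.php
        printf 'sites/default/files/\n' > .gitignore
        # One "path export-ignore" per line. A matching directory is skipped
        # with everything below it. The paths stay in the repository; only the
        # archive omits them.
        cat > .gitattributes <<'EOF'
.gitattributes export-ignore
.gitignore     export-ignore
/tests         export-ignore
/sites/all/libraries/plupload/examples export-ignore
/install.php   export-ignore
EOF
        git add -A
        git -c user.name=demo -c user.email=demo@example.invalid commit -q -m 'demo release'
    )
    printf '%s\n' "$repo"
}

# List the regular files "git archive" would put in the release tarball.
list_release_files() {
    git -C "$1" archive --format=tar HEAD | tar -tf - | grep -v '/$' | sort
}

# Return 0 when no dev-only path leaked and every site file is present.
release_is_clean() {
    files=$(list_release_files "$1")
    for bad in .gitattributes .gitignore tests/MyTest.php \
               sites/all/libraries/plupload/examples/upload.php install.php; do
        case "$files" in *"$bad"*) echo "leaked: $bad" >&2; return 1 ;; esac
    done
    for good in index.php sites/all/modules/custom/mymodule.module \
                sites/all/libraries/plupload/plupload.full.min.js; do
        case "$files" in *"$good"*) ;; *) echo "missing: $good" >&2; return 1 ;; esac
    done
    return 0
}

# Usage: build the demo repository, show what the release contains, verify it.
demo_repo=$(make_demo_repo)
list_release_files "$demo_repo"
release_is_clean "$demo_repo" && echo "release is clean"
rm -rf "$demo_repo"
```

The same check belongs in a real release pipeline: archive the tagged commit, list the tarball, and fail the build if any path from the export-ignore list shows up, rather than trusting that the attributes file is still correct after a module update.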

If you have any suggestions for improvements, let me know in the comments.